RFR (JAXP) JDK-8067170: Enable security manager on JAXP unit tests

[Daniel Fuchs]

On 26/07/16 00:53, huizhe wang wrote:
> To avoid having to grant the permission, the test may choose to read the
> property before setting the SecurityManager.  You might not be able to
> use TestNG Listeners in such case, or maybe you can by initializing the
> properties before the test starts.

Or you can use my trick with an AtomicBoolean for such cases:

set allowAll to true
try {
    read system property
} finally {
    set allowAll to false (or to the value it had before)
}

Adding a ThreadLocal<AtomicBoolean> allowAll to BasePolicy
for that purpose is very easy :-)

That should ensure that you only need to give those permissions
to the test that a regular user of the JAXP API would need to
use the JAXP API.

If the test read/writes an XML document from file, then the
FilePermission to read/write that document is something that
a regular user of JAXP would need. So those permission should
be granted to the test through Policy.

If the test reads/writes a system property or creates a directory
or create a class loader to set up an initial configuration for
the test to run, then this is not something a regular user of the
JAXP API would need - so it would then be legitimate to perform this
setup inside a block that sets allowAll to true to locally escape
permissions checks during this setup, thus avoiding to grant those
permissions to all in the Policy (alternatively you could use your
tmpPermissions trick to do that as well - but it is a bit more
complex and adds more clutter than a simple on/off switch).

cheers,

-- daniel